PDF malware analysis — malicious · ca81f75ec38fd310

MALICIOUS

PDF

49.1 KB Authoring application: Karbon

MD5: 464aa024ae78b54f1fb45ca3a8c169bb SHA-1: 02b3f81927b3e5adbe8e1abe4929f1c591b61231 SHA-256: ca81f75ec38fd3104573fbec5de897c63bb9d47ee5827989324ba3b56df83741

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded URLs pointing to other PDF files, indicating a link farm or redirection mechanism. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a malicious intent, likely related to phishing or traffic generation. No scripts were extracted from this sample, and the document body content is heavily corrupted, limiting further analysis of the specific lure.

Heuristics 3

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.zibc.net/uploads/1/3/0/5/130588164/xujusejobilo-wuxubefaduze.pdf
- http://nashvilleweaverwedding.com/uploads/1/3/0/2/130287238/ac8c162a102f.pdf
- http://bestofthemenu.com/uploads/1/3/0/7/130775382/wefowexora.pdf
- http://nsucc.com/uploads/1/3/0/5/130551091/c888e527b42e7.pdf
- http://susanwhitingyoga.com/uploads/1/3/0/4/130489097/474455.pdf
- http://71delmar.com/uploads/1/3/0/6/130620438/4415406.pdf
- http://designerfundraising.org/uploads/1/3/0/6/130605358/57aa255cc9d656.pdf
- http://sugarnspiceflorist.com/uploads/1/3/0/4/130489958/zofowekit_sezafurevukod_kagapirok.pdf
- http://americaninfousa.net/uploads/1/3/0/8/130814258/9052535.pdf
- http://innovalprocess.net/uploads/1/3/0/4/130435555/7304953.pdf
- http://roleofsource.com/uploads/1/3/0/4/130435649/9737783.pdf
- http://thegrosses.net/uploads/1/3/0/6/130604690/5437069.pdf
- http://mostloyalfan.com/uploads/1/3/0/7/130740556/1c693.pdf
- http://abeautifulmesstx.com/uploads/1/3/0/2/130291910/vafijusofabu_bijuwabulu_dejipudolexu_gorininode.pdf
- http://www.kwcoachclaudia.com/uploads/1/3/0/9/130969241/3898534.pdf
- http://homerestorems.com/uploads/1/3/0/4/130476010/zorumunazosexag_boporeg.pdf
- http://neufeldvolk.com/uploads/1/3/0/4/130476135/8fd660f60a60d0.pdf
- http://www.asphaltpavingtampa.co/uploads/1/3/0/8/130874099/nomudaxogonut-jojorebokazem-fotosakufomavo-wibufizoroz.pdf
- http://thecountpro.com/uploads/1/3/0/6/130604129/4596831.pdf
- http://la-screenranter.com/uploads/1/3/0/8/130814636/5692076.pdf
- http://tireshopphoenix.pro/uploads/1/3/0/6/130621217/wegok-pirewosefole-waxujotufeju-mulipisipo.pdf
- http://pt.gobrazil.co.uk/uploads/1/3/0/4/130435712/aca87b26ca6.pdf
- http://mattinablue.com/uploads/1/3/0/7/130776850/f8dc5.pdf
- http://mychickadeesfuntasticnest.com/uploads/1/3/0/6/130622047/jupazus.pdf
- http://thekyur.com/uploads/1/3/0/4/130489423/wugefavorakok.pdf
- http://xinleyuanyulecheng.br3h.com/uploads/1/3/0/5/130551241/130551241.html#ssc+stenographer+2019+question+paper+with+answer+key+pdf

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00004190.bin` `c6c28444bcd94379862b6cc7f8cfcdbcdaeb026857ccdb099d87626a561054a6`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x4190	16092 bytes
`font_01_sfnt_off0000594b.bin` `de214a998aedac5e56f004857126b6b8b190c2945827295224482049c2fe874d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x594B	8788 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.